New Member

Has anyone seen this one floating around? When a USB is inserted in a machine all the files and folders turn into shortcuts and a hidden folder with .js files is created on the USB as well as the machine.

There are a tonne of ways to remove it but nothing really to totally prevent it from happening. Having trouble finding what the actual source is and what's creating the js files.

Retired Staff

I'm thinking it had to be Windows XP because USB autorun is disabled by default on Vista, Windows 7 and 8.

The user would have to manually open the USB in Windows Explorer and manually run the infected file in order for this to happen on modern Windows.

Just connecting the USB device on modern Windows would not cause an infection unless the user has manually changed USB autorun settings or failed to apply Windows Updates that disabled the USB autorun function.

New Member

This is on a Windows 7 in an enterprise environment, Autoplay is on but Autorun is disabled via group policy.

It's a very odd occurrence and has McAfee support team stumped as well. Hopefully a remote session with their engineer will give us more information.

It's very discreet in how it happens, user will plug a USB into a machine and when they access the USB they see all their folders have been modified. The user doesn't actually execute anything which makes it really odd.

New Member

Yes I'm sure the users would have done that. McAfee have just remoted in and also found a scheduled task that recreates the .js files if they are deleted. Thanks for the MS Article, it's looking like that at the moment.

Retired Staff

Possibly one of the users did run a malicious executable file and if on a shared network, it infected other systems. Another possibility is one of the systems on the shared network was already infected and the malicious file copied itself to the USB device, which means the infection did not originate from the USB device. With auto run disabled it would be impossible for a malicious file to run on its own. Someone had to execute the process.
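Added example, not part of the thread and not from McAfee or Microsoft: a small triage script that checks a drive for the symptom described above (every visible top-level item is a shortcut, plus a hidden folder holding .js files). The function names, the dot-prefix fallback for non-Windows systems and the sample layout are assumptions made for this example.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

def is_hidden(path):
    # Windows hidden attribute; elsewhere fall back to a leading dot
    # (assumption, only so the constructed sample runs on any OS).
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")

def triage_drive(root, script_exts=(".js",)):
    """Report top-level shortcuts and hidden folders that hold script files."""
    root = Path(root)
    entries = list(root.iterdir())
    visible = [e for e in entries if not is_hidden(e)]
    shortcuts = sorted(e.name for e in visible
                       if e.is_file() and e.suffix.lower() == ".lnk")
    hidden_script_dirs = {}
    for d in (e for e in entries if e.is_dir() and is_hidden(e)):
        found = []
        for dirpath, _, files in os.walk(d):  # unreadable dirs are skipped
            found += [os.path.relpath(os.path.join(dirpath, f), root)
                      for f in files if Path(f).suffix.lower() in script_exts]
        if found:
            hidden_script_dirs[d.name] = sorted(found)
    # Thread's symptom: everything visible is a shortcut AND a hidden folder has .js
    all_lnk = bool(visible) and len(shortcuts) == len(visible)
    return {"shortcuts": shortcuts,
            "hidden_script_dirs": hidden_script_dirs,
            "matches_thread_pattern": all_lnk and bool(hidden_script_dirs)}

def build_sample(root):
    # Constructed sample layout (not taken from a real infected drive).
    root = Path(root)
    (root / ".cache").mkdir()
    (root / ".cache" / "a.js").write_text("// placeholder\n")
    for name in ("Reports.lnk", "photo.jpg.lnk"):
        (root / name).write_bytes(b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_drive(sys.argv[1]))  # e.g. E:\
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            print(triage_drive(tmp))
```

A match only says the drive shows the same layout as in this thread; the scheduled task on the machine that recreates the .js files still has to be found and removed separately.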
